Adding Zope 2 permissions using just ZCML and a Generic Setup profile

Short story

To add Zope 2 permissions without creating a Zope 2 package and adding them manually in the Install.py file, we configure the permissions in the main configure.zcml file of our package, or in a dedicated permissions.zcml. Then we map the permissions to roles and we're done. You might want to take a look at Products.Five's configure.zcml, permissions.zcml and the method create_permission_from_permission_directive in security.py.

Short-ish story

In pre Zope 2.12, we need collective.autopermissions to automate the creation of the defined permissions. Zope 2.12 includes that functionality, so we are almost done :)

In configure.zcml we include permissions.zcml before our profiles.

configure.zcml

<include package=".permissions" />
 
 <genericsetup:registerProfile
 name="default"
 title="plone.app.collection"
 directory="profiles/default"
 description="plone.app.collection profile"
 provides="Products.GenericSetup.interfaces.EXTENSION"
 />

Our permissions.zcml contains the definitions of the permissions. Permissions do not need a containing node, so the following will do.

Note: the id attribute is the Zope 3 identifier and title is the Zope 2 identifier.

permissions.zcml

<permission
 id="plone.app.collection.addCollection"
 title="plone.app.collection: Add Collection"
 />
 <permission
 id="plone.app.collection.addSomething"
 title="plone.app.collection: Add something"
 />
 <permission
 id="plone.app.collection.addEvenMore"
 title="plone.app.collection: Add even more"
 />

In our profile we have a rolemap.xml to set the role/permission mappings. Make sure that the name attribute corresponds to the title attribute in permissions.zcml

rolemap.xml

<rolemap>
 <permissions>
 <permission
 name="plone.app.collection: Add Collection"
 acquire="True">
 <role name="Manager" />
 </permission>
 </permissions>
</rolemap>